
Strengths and Weaknesses of Linux Security (English)

火星人 @ 2014-03-23

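  Readers will surely be familiar with Kurt Seifried: he is the author of the well-known technical book Linux Administrators' Security Guide and also the maintainer of a well-known security mailing list. In a recent interview with Linux.com he gave his views on Linux security, such as where its strengths lie, where it still falls short, and whether every administrator needs to be proficient in Linux security.

  Over the past few years Kurt Seifried has become very well known in the Linux security world, but he has not rested on his achievements; he keeps working to keep up with the new Linux security challenges that continue to emerge. He currently works on the technical team at iDefense/Verisign, and in his words: "I can spend most of my time studying the latest Linux security incidents." Kurt Seifried also runs a website called RiskBloggers.com, which likewise focuses mainly on security.

  The interview follows: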
  Linux.com readers might know Kurt Seifried as the author of the Linux Administrators' Security Guide or proprietor of the popular security mailing list. In this interview, he gives his views on how security in Linux has been stacking up and where it's lacking, what users can do to secure their systems, and whether every admin needs to know much about security.

  Over the years Seifried has made a name for himself in the world of Linux security, and he's not resting on past accomplishments. He's part of the technical team at iDefense/Verisign, which he says "allows me to spend most of my time keeping on top of all the current security threats." Seifried is also working on a new site called RiskBloggers.com, a blog/magazine with articles on security and risk.

  Linux.com: Is it true that you're planning to launch a Linux-specific security list soon?

  Kurt Seifried: Yeah, "as soon as I have time". It'll basically be all the vendor lists (Debian, Slackware, etc.) collated into one, so there will be a lot of overlap since they tend to ship the same software, but since some vendors are faster than others for shipping security updates, it'll also provide a heads up.

  Lc: Linux has been around for a good 15 years now. How has the area of Linux security changed in that time?

  KS: It's matured significantly. Projects like SELinux and StackGuard (formerly SubDomain) have really had an impact.

  I use SELinux on my servers now and it really allows me to lock down Internet-facing services like Apache. There's also a lot more software -- the average Linux installation when I started was 50-100 megabytes (about 50-70% of my available hard drive at the time). Now, I typically install 1-2 gigabytes worth of software (less than 1% of my available hard drive space now). Added complexity and size means more potential holes for attackers to exploit.

  Lc: Last year, Microsoft claimed that Linux security is a "myth" and that Linux was "too immature" to use for mission-critical computing. Is there any truth to that?

  KS: Microsoft claims a lot of things. Most large companies claim a lot of things. Remember Oracle's "unbreakable" ad campaign? Remember Microsoft saying they had addressed buffer overflow in Windows and that wouldn't be a problem anymore? It's the nature of the industry, there is a lot of mud throwing (aka FUD).

  Lc: Security myths or not, Linux is more popular today than it's ever been, especially for mission-critical computing. Does this growing popularity change anything from a security perspective?

  KS: Yes. The biggest change I think is the level of auditing. For example, the recent Month of Kernel Bugs found numerous issues in the Linux kernel's support for various filesystems, which can lead to local denial of services or code execution.

  Unlike, say, the OpenBSD Project, which has been auditing their code base exhaustively for a long time, the Linux code base is still relatively messy in that respect, but it's getting better.

  Lc: What are the big issues in Linux security today?

  KS: Code quality continues to be abysmal. Known security issues like buffer overflow, and even simple file creation issues continue to plague us. It's downright embarrassing when 20-year-old programming errors continue to occur.

  Lc: As Linux usage grows among end users, are we going to see more malware or does Linux have immunity to that?

  KS: Linux certainly is not immune, but it is highly resistant.

  Let me put it this way: would I worry about malware on servers? Not really. Would I worry about home users doing silly things that get them infected? It's possible. However, a well built and configured system with a user that is not allowed admin access would be relatively immune to such attacks.

  Lc: Are Linux users generally at more or less risk than users of other OSes?

  KS: Depends how you define risk for one thing. Simply plugging an unpatched Linux box with a default install of your favorite distro is safer than plugging in an unpatched Windows box (which will be attacked and compromised, usually in less than half an hour).

  If you run vulnerable services on your machine, or you engage in unsafe Internet usage [such as] opening and executing email attachments [or] surfing the Web with older browsers that have well known issues, chances are you'll run into problems regardless of the OS.

  Lc: There are so many distributions out there. Can someone still be a "Linux security" expert today without having to be on top of all the nuances in all the many distributions, or is this another layer of complexity they have to know?

  KS: Well, the good news is that most Linux systems are pretty similar. You have the same class of vulnerabilities and attacks in most cases: poor file permissions, badly written applications, etc.

  There are, of course, differences (Where the heck is config file X? And why did they allow this service by default?), but once you learn the core fundamentals, how to read man pages, and probably most importantly of all how to use Google, you should be ok.

  Lc: Security-wise, are all distributions created equal, or are some better than others?
